On January 10, the Federal Trade Commission’s final rule amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) became effective. We wrote about the final rule when it was first published in October 2021. As a practical matter, the amendments will likely require many financial institutions to revisit and revise their policies and procedures, including, for example, in the areas of risk assessments, vendor oversight, and incident response plans.

To refresh, the final rule, among other things:

  • Expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities, which notably brings “finders” — companies that bring together buyers and sellers of a product or service — within the Safeguards Rule’s scope;
  • Adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring (1) designation of a specific qualified individual responsible for overseeing and implementing the information security program, (2) risk assessments, and (3) periodic reports to boards of directors or governing bodies;
  • Adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as (1) encryption of customer information over external networks and at rest, (2) multifactor authentication, and (3) secure disposal of customer information; and
  • Exempts financial institutions that collect customer information from fewer than 5,000 consumers from certain requirements.

While the amended Safeguards Rule became effective on January 10, the following provisions do not become effective until December 9, 2022:

  • The requirement to designate a qualified individual;
  • The specific requirements for written risk assessments (please note that the requirement to perform risk assessments is effective now — only the criteria mandated by the final rule are not yet effective);
  • The specific requirements related to implementation of safeguards based on risk assessments, which include the provisions on encryption and multifactor authentication;
  • The requirement that “information systems” undergo continuous monitoring or periodic penetration testing and vulnerability assessments;
  • Training and operational requirements for security personnel;
  • The requirement to perform periodic assessments of service providers;
  • The requirement to establish a written incident response plan to respond to and recover from security events materially affecting the confidentiality, integrity, or availability of customer information; and
  • The requirement that the qualified individual’s periodic reports be given in writing, regularly and at least annually, to the board of directors.

As noted above, the breadth of parties considered to be “financial institutions” subject to the Safeguards Rule has become broader. Among others, entities are subject to the Safeguards Rule if they engage in the following:

  • Traditional banking functions;
  • Making, acquiring, brokering, or servicing loans or other extensions of credit;
  • Real estate and personal property appraising;
  • Collection agency services;
  • Credit bureau services;
  • Asset management, servicing, and collection activities;
  • Leasing personal or real property;
  • Real estate settlement servicing; and
  • Bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.

Affected entities should be proactive in implementing the significant operational requirements of the revised Safeguards Rule. The requirements are not light lifts, and the countdown clock to compliance is ticking.